Ransomware poses as police, demands fine

Posted December 22, 2011 - 09:09 by Kate Taylor

Microsoft is warning users about a new scam in which hackers pose as law enforcement officials and demand payment of a fine.

It's not yet been spotted in the US, but has been targeting users across Europe, with messages purporting to be from the German, Swiss, British, Spanish or Dutch police, amongst many other organizations. Microsoft says the hackers have gone to quite some effort to create all the different variants.

"Upon execution, the ransomware locks the computer, displays the localized screen... and demands the payment of a 'fine' for the supposed possession of illicit material," Microsoft warns.

"In order to make the computer functional again, the user is asked to transfer money via a legitimate online payment service, such as Paysafecard or Ukash, to the supposed authorities. These services are not involved in any way with the scammers' scheme; instead, they are being used for malicious purposes."

The malware is distributed through drive-by downloads using the Blackhole Exploit Kit, which contains exploits for unpatched installations of Adobe Reader, Flash Player, Java and Windows and distributes malware families including Worm:Win32/Gamarue, PWS:Win32/Zbot, Rogue:Win32/Winwebsec, Trojan:Win32/FakeSysdef and PWS:Win32/Sinowal.

Upon execution, each of the ransomware versions locks the computer, supposedly because illegal activity has been detected.

"Attention! Illegal activity was detected. The operating system was locked for infringement against the laws of Switzerland. Your IP address is <removed>," reads the Swiss version.

"From this IP address, sites containing pornography, child pornography, bestiality and violence against children were browsed. Your computer also has video files with pornographic content, elements of violence and child pornography. Emails with terrorist background were also spammed. This serves to lock the computer to stop your illegal activities."

It then goes on to demand payment of a 'fine'.

"Considering the wide distribution of scams such as this ransomware, it's clear that there's a lot of money at stake," says Microsoft.

"That's why the bad guys invest in making their scams look more convincing for the unsuspecting user."